Skip to content 
Learn how to Fix Files and Folders Permissions after malware attacks using a one-click PHP script to restore secure 644 and 755 permissions fast.
If you’ve ever dealt with a hacked website, you already know how messy things can get. One of the most common issues after a malware attack is broken or incorrectly changed permissions. In many cases, attackers modify file and directory access levels to maintain control or block you from managing your own site. That’s why learning how to Fix Files and Folders Permissions quickly and safely is critical for restoring your website’s security and functionality.
In this guide, I’ll walk you through a practical, real-world solution that works on most Linux-based hosting environments. Whether you’re running a WordPress website, a custom PHP project, or a simple static site, this method helps you reset permissions in one click using a PHP script. No advanced server knowledge required, and no manual chmod commands on hundreds of files.
Why Malware Changes Files and Folders Permissions
When malware infects a website, it rarely stops at injecting code. One of its common tactics is altering file permissions to:
-
Prevent site owners from editing or deleting infected files
-
Allow malicious scripts to execute freely
-
Lock down directories to avoid detection
-
Break WordPress core, plugins, or themes intentionally
For example, you might notice that WordPress updates fail, images won’t upload, or your admin panel throws “permission denied” errors. These are classic signs that file permissions are no longer set correctly.
On Linux servers, incorrect permissions can completely break your website—even after malware removal. That’s why fixing permissions is a mandatory step in any malware cleanup process.
Understanding Correct Linux Permissions (Quick Overview)
Before we jump into the fix, it’s important to understand what “correct” permissions usually mean.
-
Files:
644-
Owner: Read & Write
-
Group: Read
-
Public: Read
-
-
Folders (Directories):
755-
Owner: Read, Write & Execute
-
Group: Read & Execute
-
Public: Read & Execute
-
These values are widely recommended for PHP applications and WordPress sites because they balance security and usability. Deviating from them (like using 777) may temporarily solve errors but creates serious security risks.
Fix Files and Folders Permissions Quickly
After a malware attack, manually fixing permissions via FTP or cPanel can take hours—especially on large websites. The fastest approach is to automate the process.
Here’s a one-click PHP solution that recursively scans all files and folders and restores safe permissions automatically.
Step 1: Create a PHP File
Create a new file in your website’s root directory. You can name it anything, for example:
fixpermissions.php
Step 2: Add the Following Code
Paste the code below into the file:
<?php
function fix_permissions($path) {
if (is_dir($path)) {
chmod($path, 0755);
$files = scandir($path);
foreach ($files as $file) {
if ($file != '.' && $file != '..') {
fix_permissions($path . '/' . $file);
}
}
} else {
chmod($path, 0644);
}
}
$root = __DIR__; // current directory
fix_permissions($root);
echo "Permissions fixed successfully.";
?> This script works recursively. That means it goes through every folder and file inside your site and applies:
-
755 to all directories
-
644 to all files
Step 3: Run the Script in Browser
Once the file is uploaded:
-
Open your browser
-
Visit: https://yourwebsite.com/fixpermissions.php
-
You should see the message: “Permissions fixed successfully.”
That’s it. Your files and folders permissions are now reset.
Should You Run It More Than Once?
Yes. It’s completely safe to run this script multiple times, especially if:
-
Your site was heavily infected
-
New files were added during cleanup
-
Hosting cache or deployment tools modified permissions again
Each run simply re-applies the same secure permission rules.
Where This Method Works Best
This approach works perfectly on:
-
Shared hosting (cPanel, DirectAdmin, Plesk)
-
VPS or dedicated servers
-
WordPress, Laravel, or custom PHP websites
-
Linux-based hosting environments
If you’re a WordPress user, this method is especially useful after malware cleanup plugins remove infected files but leave broken permissions behind.
Important Security Tip (Must Read)
Once permissions are fixed and your website is working normally:
👉 Delete the fixpermissions.php file immediately.
Leaving such a script on your server can be risky if someone discovers it. Even though it’s not malicious, it still performs sensitive operations.
Common Problems This Fix Solves
By using this method to Fix Files and Folders Permissions, you can instantly resolve:
-
WordPress “unable to write to directory” errors
-
Plugin or theme installation failures
-
Media upload permission issues
-
403 Forbidden errors caused by wrong chmod
-
Broken admin dashboards after malware attacks
It’s often the missing step people overlook after removing malware.
Additional Hardening After Fixing Permissions
Fixing permissions is a big step, but don’t stop there. For long-term server security, consider:
-
Updating WordPress core, themes, and plugins
-
Changing FTP, cPanel, and database passwords
-
Scanning the site again for hidden backdoors
-
Disabling file editing in WordPress (
wp-config.php) -
Using a web application firewall (WAF)
Permissions alone won’t protect you if vulnerabilities remain.
Why This Method Is Better Than Manual chmod
You can fix permissions using File Manager or SSH, but that approach has drawbacks:
-
Time-consuming on large sites
-
High chance of human error
-
Not beginner-friendly
-
Difficult on shared hosting without SSH
This PHP-based solution is fast, repeatable, and practical—especially for site owners who want a reliable fix without deep server access.
Final Thoughts
Malware attacks are stressful, but recovering from them doesn’t have to be complicated. When permissions are altered, even a clean website can behave like it’s still broken. That’s why knowing how to Fix Files and Folders Permissions is a must-have skill for website owners, developers, and WordPress users.
With the simple PHP script shared above, you can restore safe permissions in seconds, run it multiple times if needed, and bring your website back to normal—without guesswork.
Just remember: fix, verify, and then delete the script.
